Additional security headers

.env.example

@@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
 CORS_ALLOWED_ORIGINS=null
+ENABLE_HSTS=false
 
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS

app/Http/Kernel.php

@@ -17,15 +17,12 @@ class Kernel extends HttpKernel
         \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
         \Illuminate\Session\Middleware\StartSession::class,
         \Illuminate\View\Middleware\ShareErrorsFromSession::class,
-        \App\Http\Middleware\FrameGuard::class,
-        \App\Http\Middleware\XssProtectHeader::class,
-        \App\Http\Middleware\ReferrerPolicyHeader::class,
-        \App\Http\Middleware\ContentSecurityPolicyHeader::class,
-        \App\Http\Middleware\NosniffGuard::class,
         \Fideloper\Proxy\TrustProxies::class,
         \App\Http\Middleware\CheckForSetup::class,
         \App\Http\Middleware\CheckForDebug::class,
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+        \App\Http\Middleware\SecurityHeaders::class,
+
     ];
 
     /**

app/Http/Middleware/SecurityHeaders.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class SecurityHeaders
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+
+    // See https://securityheaders.com/
+    private $unwantedHeaderList = [
+        'X-Powered-By',
+        'Server',
+    ];
+
+    public function handle($request, Closure $next)
+    {
+        $this->removeUnwantedHeaders($this->unwantedHeaderList);
+        $response = $next($request);
+
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+        $response->headers->set('X-XSS-Protection', '1; mode=block');
+        $response->headers->set('Feature-Policy', 'self');
+
+        // Defaults to same-origin if REFERRER_POLICY is not set in the .env
+        $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
+
+        // The .env var ALLOW_IFRAMING  defaults to false (which disallows IFRAMING)
+        // if not present, but some unique cases require this to be enabled.
+        // For example, some IT depts have IFRAMED Snipe-IT into their IT portal
+        // for convenience so while it is normally disallowed, there is
+        // an override that exists.
+
+        if (config('app.allow_iframing') == false) {
+            $response->headers->set('X-Frame-Options', 'DENY');
+        }
+
+
+        // This defaults to false to maintain backwards compatibility
+        // people who are not running Snipe-IT over TLS (shame, shame, shame!)
+        // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
+        // https://letsencrypt.org
+
+        if (config('app.enable_hsts') === true) {
+            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+
+        // We have to exclude debug mode here because debugbar pulls from a CDN or two
+        // and it will break things.
+
+        if ((config('app.debug')!='true')  || (config('app.enable_csp')=='true')) {
+            $policy[] = "default-src 'self'";
+            $policy[] = "style-src 'self' 'unsafe-inline'";
+            $policy[] = "script-src 'self' 'unsafe-inline'";
+            $policy[] = "connect-src 'self'";
+            $policy[] = "object-src 'none'";
+            $policy[] = "font-src 'self' data:";
+            $policy[] = "img-src 'self' data: gravatar.com";
+            $policy = join(';', $policy);
+            $response->headers->set('Content-Security-Policy', $policy);
+        }
+
+        return $response;
+    }
+
+    private function removeUnwantedHeaders($headerList)
+    {
+        foreach ($headerList as $header)
+            header_remove($header);
+    }
+}

config/app.php

@@ -196,19 +196,33 @@
     'private_uploads' => storage_path().'/private_uploads',
 
 
+    /*
+   |--------------------------------------------------------------------------
+   | ALLOW I-FRAMING
+   |--------------------------------------------------------------------------
+   |
+   | Normal users will never need to edit this. This option lets you run
+   | Snipe-IT within an I-Frame, which is normally disabled by default for
+   | security reasons, to prevent clickjacking. It should normally be set to false.
+   |
+   */
+
+    'allow_iframing' => env('ALLOW_IFRAMING', false),
+
+
     /*
     |--------------------------------------------------------------------------
-    | ALLOW I-FRAMING
+    | ENABLE HTTP Strict Transport Security (HSTS)
     |--------------------------------------------------------------------------
     |
-    | Normal users will never need to edit this. This option lets you run
-    | Snipe-IT within an I-Frame, which is normally disabled by default for
-    | security reasons, to prevent clickjacking. It should normally be set to false.
+    | This is set to default false for backwards compatibilty but should be
+    | set to true if the hosting environment allows it.
+    |
+    | See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
     |
     */
 
-    'allow_iframing' => env('ALLOW_IFRAMING', false),
-
+    'enable_hsts' => env('ENABLE_HSTS', false),
 
     /*
     |--------------------------------------------------------------------------